The HummingBad malware is back with a new variant, named “HummingWhale,” which has been found in more than 20 apps on Google Play.

The malware-infected apps were downloaded several million times by users, and researchers from security company Check Point discovered the malware and notified the Google security team about the apps, which have since been removed from the Google Play store.

HummingWhale is able to perform ad fraud better than before by using “new, cutting-edge technologies,” according to Check Point’s mobile cyber security analyst Oren Koriat in a blog post. Check Point first discovered HummingBad in February 2016, when it employed a chain-attack tactic and rootkit to gain control over infected Android devices, according to him. He added that it was probably “only a matter of time before HummingBad evolved and made its way onto Google Play again.”

(Related: Google outlines Android security improvements)

Check Point became suspicious of HummingWhale when the researchers analyzed one of the infected apps, which registered several events on boot like TIME_TICK, SCREEN_OFF, and INSTALL_REFERRER, according to Koriat. All of the applications were uploaded under names of fake Chinese developers, and the researchers were able to locate 16 additional package names related to the same malware, also found on Google Play.

The Check Point research team said in an e-mail to SD Times that “This time, the apps were mainly connected to camera features, but some were connected to other activities, such as gaming and so on.

“It is important to beware [of] apps without any regard to their specific purpose, as any app can have embedded malware in it.

Koriat wrote that this new malware was also heavily packaged, and “contained its main payload in the group.png file, which is, in fact, an APK, meaning they can be run as executables.”

The APK acts as a dropper, which uses an Android plug-in called DroidPlugin, developed by Qihoo 360 (a Chinese company known for its anti-virus software) to upload fraudulent apps on a virtual machine. Overall, the malware’s method uses tactics like installing apps without gaining permission, disguising the malicious activity that allows it to infiltrate Google Play, installing on an infinite number of fraudulent apps without overloading the device, wrote Koriat.

The fraudulent ratings left by malware is a reminder to users to not trust Google Play for protection. Instead, they need to take advanced security measures capable of both “static and dynamic analysis of apps,” said the research team.

“Such security measures can detect and block an app displaying a malicious activity, even if this activity is well-hidden in its code,” they said.

Developers can also protect their own applications by only using trusted code depositories, and sticking to secure coding so that it cannot be tampered with, according to the research team. They added that it’s important to clarify that “these apps hid the malware intentionally, under a false pretense of providing the user some sort of service.”